Slide 1

Slide 1 text

APPSEC IN A CONTAINER WORLD AKASH MAHAJAN - DIRECTOR APPSECCO

Slide 2

Slide 2 text

WE NOW LIVE IN A CONTAINER WORLD # Container(Camp|Conf|World)

Slide 3

Slide 3 text

IT/OPS AND DEVS ARE COMING TOGETHER # devops

Slide 4

Slide 4 text

THERE IS A MAJOR SHIFT IN SECURITY #SHIFTLEFT Shannon Lietz (Keynote at DevSecCon Asia 2017)

Slide 5

Slide 5 text

APPSEC TESTING HAS TO BECOME PART OF DEVOPS OR BE LEFT BEHIND. The reality is, the Microsoft Security Development Lifecycle (SDL) dates from 2004, so secure development practice is hardly a new idea; what is new is the delivery speed it has to keep up with.

Slide 6

Slide 6 text

CONTAINERS ENABLE SELF-SERVICE AN IMPORTANT ASPECT OF DEVOPS

Slide 7

Slide 7 text

CONTINUOUS * (INTEGRATION, DELIVERY, DEPLOYMENT): PIPELINE MODE ON. CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT ON TAP.

Slide 8

Slide 8 text

[Figure: continuous integration vs continuous delivery vs continuous deployment pipeline, from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment, annotated "CHECK FOR SECURITY" at four points in the pipeline, labelled 1 to 4]

Slide 9

Slide 9 text

CONTAINERS, APP SEC & OWASP

Slide 10

Slide 10 text

RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS (OWASP Top 10, 2013 numbering)

OWASP Top 10 Issue                              | What is that?
A1 Injection                                    | Stuff that harms the server
A2 Broken AuthN                                 | Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server
A4 Insecure Direct Object Reference             |
A5 Security Misconfiguration                    | Stuff that makes the infra supporting the app insecure
A9 Using Components with Known Vulnerabilities  | Stuff that possibly enables any or all of the above, due to using 3rd-party stuff

Slide 11

Slide 11 text

A5 IS A SOLVED PROBLEM, MAYBE!! (OWASP A5 - SECURITY MISCONFIGURATION)

Slide 12

Slide 12 text

PATCHED vs UN-PATCHED

Slide 13

Slide 13 text

IMMUTABLE INFRASTRUCTURE FTW!!! "There is no reason to harden every time; we just start from scratch and take the latest patched version every single time." - Akash Mahajan. This holds only if the hardening lives in the image definition and the pipeline actually rebuilds and redeploys whenever the base image is updated; a container that is never rebuilt is just an un-patched server with extra steps.

Slide 14

Slide 14 text

A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES, MAYBE (OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES). A private registry only helps when builds are forced to pull from it, what goes into it is vetted, and the images already in it are rescanned as new CVEs are published.
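The following is an added example, not code from the talk, showing what a mechanical check for the A5 and A9 points on the two slides above can look like in a build pipeline: a Dockerfile policy lint that requires every base image to come from a private registry and be pinned by digest (so a rebuild is reproducible and a newer patched base is taken deliberately, by bumping the digest), flags RUN steps that download from outside the private package mirror, and requires the final stage to run as a non-root user. The registry name registry.example.internal, the mirror packages.example.internal, the digest value and both sample Dockerfiles are assumptions constructed for the example.

```python
import re

# Assumed names for the organisation's vetted image mirror and package mirror.
PRIVATE_REGISTRY = "registry.example.internal"
PRIVATE_HOSTS = {PRIVATE_REGISTRY, "packages.example.internal"}

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?$", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into (registry, repo, tag, digest).
    As Docker does, the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image comes from docker.io."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    tag = None
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].rsplit(":", 1)
    return registry, "/".join(parts), tag, digest


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def lint(dockerfile_text):
    """Return a list of policy findings; an empty list means the Dockerfile passes."""
    findings, stage_aliases, last_user = [], set(), None
    for line in logical_lines(dockerfile_text):
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            if alias:
                stage_aliases.add(alias.lower())
            if ref.lower() in stage_aliases or ref.lower() == "scratch":
                continue  # an earlier build stage or the empty image, nothing to vet
            registry, _repo, _tag, digest = parse_image_ref(ref)
            if registry != PRIVATE_REGISTRY:
                findings.append(f"A9: base image {ref} is not from {PRIVATE_REGISTRY}")
            if digest is None or not DIGEST_RE.match(digest):
                findings.append(f"A9: base image {ref} is not pinned by digest")
            last_user = None  # every new stage starts as root again
            continue
        upper = line.upper()
        if upper.startswith("USER "):
            last_user = line.split(None, 1)[1].strip()
        elif upper.startswith("RUN "):
            for host in URL_RE.findall(line):
                if host.split(":")[0] not in PRIVATE_HOSTS:  # drop any :port
                    findings.append(f"A9: RUN fetches from {host}, outside the private repos")
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("A5: final stage runs as root; add a non-root USER")
    return findings


# Constructed samples. The digest is a placeholder, not a real image digest.
PINNED = "sha256:" + "0" * 63 + "1"
WEAK_DOCKERFILE = """\
FROM node:latest
RUN curl -sSL https://get.example.com/install.sh | sh
COPY . /app
WORKDIR /app
RUN npm install
CMD ["node", "server.js"]
"""
HARDENED_DOCKERFILE = f"""\
FROM {PRIVATE_REGISTRY}/base/node:18@{PINNED} AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci --registry=https://packages.example.internal/npm/
COPY . .

FROM {PRIVATE_REGISTRY}/base/node:18@{PINNED}
WORKDIR /app
COPY --from=build /app /app
USER 10001:10001
CMD ["node", "server.js"]
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint(text) or ["OK"])
```

This is a structural gate, not a vulnerability scan: it proves the build only takes components from the private registry and mirror, and that each rebuild starts from a known, hardened base. The registry itself still has to scan the images it holds and the pipeline still has to bump the pinned digest and rebuild when a patched base lands; the lint fails closed on the first of those, and says nothing about the second.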

Slide 15

Slide 15 text

SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?

Slide 16

Slide 16 text

WHAT ABOUT APPLICATION’S SECURITY?

Slide 17

Slide 17 text

WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE?

15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD A WEAK PASSWORD ON THE APPLICATION
3,000 PASSPORTS AND DRIVER'S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN'T RESET THE CEO'S WEAK PASSWORD
ROOT ON A RETAIL E-COMMERCE SERVER BECAUSE THE OUTSOURCED VENDOR ALWAYS USES THE COMPANY NAME AS THE CMS ADMIN PASSWORD

Slide 18

Slide 18 text

TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY

Slide 19

Slide 19 text

MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY

Slide 20

Slide 20 text

WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING SECURITY OF ACCESS

Slide 21

Slide 21 text

NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES

Slide 22

Slide 22 text

IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY REVIEW, THEN

Slide 23

Slide 23 text

[Figure: the same pipeline diagram from http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment, with the four "CHECK FOR SECURITY" points now labelled: 1 AUTOMATED, 2 AUTOMATED, 3 AUTOMATED, 4 NOT-AUTOMATED]

Slide 24

Slide 24 text

WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE? IS THERE A CHECKLIST WE CAN FOLLOW?

Slide 25

Slide 25 text

TAKEAWAY

Issues                | OWASP Top 10 (2013)
Input based           | A1, A3, A4, A8, A10
Logic & Design based  | A2, A5, A6, A7
Access Control        | A2, A5, A6, A7
Any other             | A9
API Testing           | Can span multiple

Slide 26

Slide 26 text

THAT APPLICATION SECURITY GUY

Slide 28

Slide 28 text

QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]